KEMP Series: How to Configure an L7 KEMP Virtual Load Balancer (VLB) for Exchange 2013

Tuesday, February 3, 2015
This is part three in a series of articles detailing load balancing for Exchange using the KEMP virtual load balancer (VLB). In this article we will be configuring the VLB as a Layer 7 load balancer for Exchange 2013.

The other articles in this series are:
My first article explains the basics of load balancing and how to download a free copy of KEMP Virtual Load Master.

In the second article I showed you how to configure the general settings for the LoadMaster. This includes configuring Ethernet settings, the Web UI, time and DNS settings, and SSL certificates. These settings are common to all types of load balancing configurations. Now I'm ready to show you how to configure the VLB as a Layer 7 load balancer for Exchange 2013.

As a refresher, here's an explanation of the differences between Layer 7 and Layer 4 load balancing.
Layer 7 Load Balancing
L7 load balancing happens at the application layer. Health checks are performed on the applications (for example OWA, EWS, ActiveSync, etc.). The SSL connection must terminate on the load balancer, the content is inspected, and then re-encrypted back to the real servers. This requires that the L7 load balancer has to have an understanding of the applications being load balanced. It also usually involves some sort of persistence, such as cookie-based or source IP. Because of all this, L7 load balancing is more complex. Exchange 2010 required L7 load balancing due to the different ways that each application protocol handled persistence. Exchange 2013 does not require persistence even when using L7 load balancing.

Layer 4 Load Balancing
L4 load balancing happens at the network layer after routing is compete (Routing occurs at Layer 3). Health checks are performed on the servers, not the applications. Layer 4 load balancers do not decrypt, inspect, and re-encrypt SSL traffic. This means L4 load balancers have higher performance and are less complex, but the load balanced application must support it. Exchange 2013 CAS is designed for L4 load balancing, but also supports L7 load balancing.

Download and Install the Templates

Start by downloading the LoadMaster templates from the KEMP documentation website. Templates contain the preconfigured setups for common load balanced applications. For Microsoft products that includes Exchange 2010 / 2013, Lync 2013, ADFS 2.0, and Remote Desktop Services (RDS).

Expand Microsoft > Exchange 2013. You will see that the Exchange 2013 templates include Core Services, ESP Services, and Additional Services. Edge Security Pack (ESP) Services include security configurations for Internet facing applications, such as pre-authentication templates. The Additional Services template includes secondary client access protocols such as POP and IMAP, as well as SMTP.

Download the Core Services template to a folder on your local computer. This will be a single Exchange2013Core.tmpl file.

Log into the LoadMaster with the bal account and navigate to Virtual Services > Manage Templates. Click Choose File, browse to the Exchange2013Core.tmpl file, and click Add New Template. The LoadMaster will display the four templates you just installed.

Configure Layer 7 Load Balancing

Expand Virtual Services > Add New to begin adding a new virtual service for Exchange 2013. Enter the virtual address (VIP) for your load balanced set of Exchange 2013 CAS servers (which should be every Exchange 2013 server in the AD site - you are doing only multi-role servers, right?) If you configured a custom port (8443) in general settings, you can use the same IP address that you use to access the VLB management UI.

Select the Exchange 2013 HTTPS Reencrypted template from the dropdown list. This will automatically populate port, protocol and service name. Since I will be using SSL bridging, I changed the service name to Exchange 2013 HTTPS Bridged. Click Add this Virtual Service.

The LoadMaster will then take you to the configuration of the new service. Examine the Basic Properties. Note that here you can activate or deactivate the virtual service.

Standard Options shows that Transparency is Disabled, persistence is set to None, the load balancing method uses Round Robin, and Idle Connections timeout in 1800 seconds (30 minutes).

Expand SSL Properties and you will see the SSL certificate you installed in my General Settings article as an Available Certificate. Select that certificate and click the ">" button to move it to Assigned Certificates.

I recommend configuring the VLB to use only TLS 1.x since TLS 2.0 and TLS 3.0 connections have known vulnerabilities. Click the TLS 1.x Ciphers Only checkbox which removes all the TLS 2.0 and 3.0 ciphers, Select all the ciphers and click the ">" button to move them to Assigned Ciphers, then click the Set Ciphers button. 

We will skip the Advanced Properties, WAF Options, and ESP Options since they are not used in this implementation.

Expand SubVSs and you will see each of the sub-virtual services that the template installed. There is one for each virtual service in Exchange 2013, including ActiveSync, Autodiscover, ECP, EWS, MAPI, OAB, PowerShell, and RPC.

Next we need to add the real servers for each SubVS. Click Modify for the Exchange 2013 HTTPS Bridged - ActiveSync SubVS. Click the Add New button under Real Servers.

Add the IP address of the real server to load balance and click the Add This Real Server button. Repeat for each real server you want to add to the load balanced set.

When you're done adding real servers for this SubVS click <-Back twice to return to the list of SubVSs. Repeat adding real servers for each SubVS.

Click Virtual Services > View/Modify Services. You will see two Virtual Services are published, one for HTTP redirection to HTTPS and the other that has all the SubVSs for Exchange 2013.

If any of  the Real Servers virtual directories are listed in red, it's either because it's missing real servers or they are all down. Click Add New under Certificate Installed. Select the certificate we installed when we configured General Settings and click the ">" button to assign it. Click the Save Changes button.

I usually change the HTTP redirection service to pass-through because I favor doing this on the Exchange servers. Either way you'll need to add the real servers to this rule, as you did above.

If you want to do HTTP pass-through to the real servers click Modify for the redirect. Rename the service name to MAIL_HTTP_PassThrough and click Set Nickname. Expand Advanced Properties. Clear the Error Code and clear the Redirect URL. Expand Real Servers and select HTTP Protocol for the Real Server Check Parameters. Then configure HTTP redirection directly on the Exchange servers.

Congratulations! You have configured Layer 7 load balancing for Exchange 2013.

A Note About Home Routers and Multiple SSL Endpoints

If you're installing this setup behind a home or consumer-based router you probably have few options for port forwarding. Usually you can only configure the router to forward all HTTPS traffic to a single internal IP address, and that will usually be the VLB.

In this case, you can configure the VLB to decide which endpoint to direct SSL or any other traffic to by using a new SubVS. For example, my Hyper-V lab server hosts many VM servers including three Exchange servers and a Thycotic Secret Server. Both the load balanced Exchange servers and the Thycotic server use port 443, so we need to configure the router to send all HTTPS traffic to the VLB, and configure the VLB to handle multiple endpoints.

Configure Multiple Endpoints

Note: If you're only load balancing Exchange and don't need the load balancer to direct HTTPS traffic to other endpoints, you're done and you can skip this section.

To add another endpoint to the VLB, add a new SubVS from Virtual Services > View/Modify Services. Click the Add New button and click Modify. Then enter a name for the SubVS (i.e., SecretServer) and click Set NickName.

Enter a portion of the URL for the virtual directory on the new server (i.e., /SecretServer/Login.aspx) for the URL and click the Set URL button.

Click Add New to create the new SubVS. This will take you to the Real Server parameters page.
Enter the IP address of the real server and click Add This Real Server. Your config should look like this:

Now click <-Back to get back to the SubVSs page. You'll notice that the Rules for this new SubVS show None. We need to configure a rule for the new server.

Expand Rules & Checking > Content Rules and click the Create New button. Enter a name for the Rule, such as Secret_Server. Note that rule names cannot contain spaces.

Enter HOST for the Header Field and the FQDN of the server in the Match String field. Click the checkbox for Ignore Case and click Create Rule.

Go back to Virtual Services > View/Modify Services. Click the Modify button for Exchange 2013 HTTPS Bridged. Now click the red None button for the rule of the SecretServer SubVS. Select Secret_Server from the rules drop-down list and click the Add button.

Now the router sends all HTTPS traffic to the VLB and the VLB sends the traffic to the correct endpoint.

This concludes the Layer 7 setup for Exchange 2013. My next article will cover configuring the KEMP virtual LoadMaster as a Layer 4 load balancer. My last article will explain how to restrict Exchange Admin Center access from the Internet.